Concerns for Biometrics in a Touchless Workplace

By Mimi Perka

Covid-19 has undoubtedly affected the world on a massive scale for almost two years now. As employees return to a sense of normalcy in the workplace, a new set of privacy concerns have risen due to the increased use of biometric systems, aimed at combating the spread of the virus.^[1]

To mitigate the immediate risks and concerns as employees return to work, many employers have turned to biometrics devices such as facial recognition technology, non-contact infrared thermometers, thermal imaging, and wearable radiometric thermometry systems.^[2] While these systems could protect their workplaces from potential outbreaks of Covid-19, these systems could also lead to legal implications for those businesses that assume the risks of employing biometric systems in the workplace.^[3]

Biometric-enabled devices have become ubiquitous in the workplace due to the accurate, reliable, and facile methods of collecting and storing employee information.^[4] In recent years, many employers replaced the traditional paper-based time cards with biometric fingerprint readers.^[5] However, as these devices were among the most heavily touched devices in the workplace, many employers looked to facial recognition time and timekeeping systems to provide a contactless time and attendance solution.^[6]

As many helpful aspects that biometrics systems might have in the workplace, especially throughout the pandemic, these systems have caused widespread concern among employees whose data is being used, collected, and stored. Notably, employees worry about the transaction, lack of disclosure, and destruction of such biometric data.^[7]

As concerns rise, a few states have taken the lead on protecting individual rights and restricting the collection and use of biometric information by requiring notice and consent from individuals.^[8]

The Illinois Biometric Information Privacy Act (BIPA) has been the forerunner of modern biometric information privacy laws in the United States.^[9] BIPA prohibits private entities from collecting, using, storing, or disclosing biometric data without providing notice and obtaining a written release from individuals before collecting such information.^[10] In a recent decision in Cothron v. White Castle System, Inc., a federal court interpreting Illinois law found that employers could be liable for in excess of $1,000 per day, per employee, for each day that biometric information was collected, stored, or used improperly.^[11]

In this case, the named plaintiff was asked to use her fingerprint to access the computer system each time she needed access to the system. As the plaintiff was the manager, she frequently needed access in this capacity.[12] After several years of having her biometric data scanned and collected without written release, the plaintiff filed a class action lawsuit against her employer in violation of BIPA.[13]

The most notable aspect of BIPA is that the law does not require an “injury in fact” for legal standing– the person bringing an action under BIPA need not have sustained actual damage beyond the violation of the person’s rights under BIPA.^[14] The Seventh Circuit held in Fox v. Dakkota Integrated Systems, LLC that an employer who fails to adhere to restrictions on biometric data retention imparts as a concrete injury, as does a violation of restrictions on biometric data collection.^[15]

While BIPA is the most well-known law of this type, other states–such as Texas, California, Washington, and Arkansas–have enacted legislation to regulate biometrics.^[16] Additionally, many other states–including Arizona, Florida, and Massachusetts– have all proposed bills to protect biometric data.^[17]

Thus, as the country continues to face the challenges associated with Covid-19, and as more states enact legislation on biometric data, employers will undoubtedly continue to struggle with the dichotomy between using data to keep employees safe and to comply with biometric data legislation.

^[1] David Oberly, Biometric Data and COVID-19 in the Workplace, JDSUPRA Legal News (Nov. 23, 2020), https://www.jdsupra.com/legalnews/biometric-data-and-covid-19-in-the-86112/.

^[2] Mary Margaret Moore, Patrick DePoy, & Lauren J. Caisman, U.S. Covid-19: Biometrics and Business Re-Opening, BCLP At Work (May 14, 2020), https://www.bclplaw.com/en-US/insights/blogs/bclp-at-work/u-s-covid-19-biometrics-and-business-re-opening.html.

^[3] Christopher Jevsevar, The Legal Minefield Surrounding Biometrics In The Workplace, Fisher Phillips Insights (Oct. 2, 2020), https://www.fisherphillips.com/news-insights/the-legal-minefield-surrounding-biometrics-in-the-workplace.html.

^[4] Id.

^[5] Oberly, supra note 1.

^[6] Id.

^[7] Susan Gross Sholinsky, Shawndra G. Jones, & Brian G. Cesaratto, Updates on Biometrics in the Workplace: Scanning the Legal Landscape in New York and Beyond, Epstein Becker Green Insights (Aug. 19, 2021), https://www.ebglaw.com/insights/updates-on-biometrics-in-the-workplace-scanning-the-legal-landscape-in-new-york-and-beyond/.

^[8] Id.

^[9] Jevsevar, supra note 3.

^[10] Oberly, supra note 1.

^[11] Joel W. Rice & Franklin Z. Wolf, The Illinois Biometrical Landscape Gets Even Tougher for Employers, Fisher Phillips Insights (Sep. 17, 2020), https://www.fisherphillips.com/news-insights/the-illinois-biometric-landscape-gets-even-tougher-for-employers.html.

[12] Id.

[13] Id.

^[14] Sholinsky, Jones, & Cesaratto, supra note 7.

^[15] Id.

^[16] Natalie A. Prescott, The Anatomy of Biometric Laws: What U.S. Companies Need to Know in 2020, Nat’l L. Rev. (Jan. 15, 2020), https://www.natlawreview.com/article/anatomy-biometric-laws-what-us-companies-need-to-know-2020.

^[17] Jevsevar, supra note 3.

Image source: https://www.jonesday.com/en/insights/2017/11/biometric-data-in-the-workplace-could-trigger-privacy-litigation-wave